Tools that help software developers write secure code are notably under-represented in today's corporate arsenals. The reason is that checking source code for security weaknesses is a difficult task, given the number of potential threats and the almost endless ways to code programs.

Fortify's Code Analysis Suite consists of two principal components: the Fortify Audit Workbench, which drives the source code analysis engine, and the Fortify Software Security Manager, which enables managers to track project security and modify the kinds of vulnerabilities that Fortify will detect.

The Workbench's source code analysis engine does all the heavy lifting. It's a Java application that reads through source code looking for specific vulnerabilities. It is guided by a set of rule packs that identify what specific items to look for. Rule packs for C/C++, C#, Java, JSP, and SQL come with the product.

Source In, Security Out

Fortify's analysis is done at a semantic, rather than syntactical, level. This means that the product understands what the code is doing. For example, it can map out data flows and recognize that untested, user-entered data -- always a potential threat -- has been passed to a routine. The routine might well be entirely correct in its functioning but unaware that the data passed to it has been corrupted in a way designed to unhinge the application. Because the Fortify engine understands the code, it can monitor execution and data flows through multiple modules and identify the points where unsafe data is touched without first being verified. Few solutions today can find intermodule security problems of this kind.
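To make the data-flow idea concrete, here is a toy interprocedural taint tracker, added for this article and not Fortify's own engine: it follows a value from a source through a call into a second routine and reports the sink it reaches without passing a validator. The call names read_request_param, validate_id and run_sql, the PROGRAM shape (each function has a params list and a body of assign/call/return tuples) and the sample functions are all constructed for the example.

```python
SOURCES = {"read_request_param"}   # calls that yield attacker-controlled data
SANITIZERS = {"validate_id"}       # calls whose result is treated as safe
SINKS = {"run_sql"}                # calls that must never receive tainted data

def analyze(program, entry):
    """Return [(call_path, sink_call)] for each sink reached by unvalidated data;
    stmts are ("assign", dst, src), ("call", dst, callee, arg), ("return", var)."""
    findings = []
    def run(fn, arg_tainted, path):
        tainted = set(program[fn]["params"][:1]) if arg_tainted else set()
        def mark(var, flag):               # record or clear taint on a variable
            (tainted.add if flag else tainted.discard)(var)
        for stmt in program[fn]["body"]:
            if stmt[0] == "assign":        # taint follows plain copies
                mark(stmt[1], stmt[2] in tainted)
            elif stmt[0] == "call":
                _, dst, callee, arg = stmt
                arg_t = arg in tainted
                if callee in SOURCES:
                    result = True
                elif callee in SANITIZERS:
                    result = False
                elif callee in SINKS:
                    if arg_t:              # unsafe data reached a sink unverified
                        findings.append((path, f"{callee}({arg})"))
                    result = False
                elif callee in program and callee not in path:
                    result = run(callee, arg_t, path + (callee,))  # cross-module
                else:                      # unknown or recursive callee: pass through
                    result = arg_t
                if dst is not None:
                    mark(dst, result)
            elif stmt[0] == "return":
                return stmt[1] in tainted
        return False

    run(entry, False, (entry,))
    return findings
PROGRAM = {   # constructed sample; lookup_user builds a query from its argument
    "handle_request": {"params": [], "body": [
        ("call", "uid", "read_request_param", None),
        ("call", None, "lookup_user", "uid"),     # raw parameter: reported
        ("call", "clean", "validate_id", "uid"),
        ("call", None, "lookup_user", "clean"),   # validated value: silent
    ]},
    "lookup_user": {"params": ["user_id"], "body": [
        ("assign", "query", "user_id"),
        ("call", "rows", "run_sql", "query"),
    ]},
}
```

The first lookup_user call is reported with the call path handle_request -> lookup_user, because lookup_user is correct on its own and only the cross-module view shows the unvalidated parameter reaching run_sql; the second call, made with the validated value, is not reported.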

Fortify generates a large XML file containing data on all the vulnerabilities it finds. This file is then analyzed by the Workbench, which displays the information in a user-friendly format. Unless programmers are up-to-date on the nature of specific coding vulnerabilities, they are likely to be surprised by what Fortify flags. The product catches not only buffer overruns and opportunities for SQL injection, but also more esoteric issues.

For example, one form of attack consists of forcing an application to open so many files that it fails in a predictable manner. By hacking the application just so, a hacker can take over the code when this failure occurs. Hence, Fortify monitors file opening and closing, and suggests that files should be closed as soon as possible (rather than left open until the program closes them at exit) and that the return value of the close should be monitored.

Because the number of generated warnings can be rather large, the Audit Workbench automatically assigns them severity ratings and enables the creation of filters, so that only items of interest are displayed. The display not only lists the vulnerabilities and the explanations, but also takes developers directly to the offending line of code.

The analysis engine is intended to run on a build server. It is designed to slip easily into makefiles or Ant build files. It runs at speeds comparable to a compiler. Because it need be run only on files modified since the last security audit, it does not add significant overhead to the build.

Perfecting the Process

The Fortify Software Security Manager, which is part of the enterprise edition of the Fortify suite, tracks the security progress of a project. Using it, a manager monitors the number of defects by type and can compare the count with previous audit results. Managers can also change the severity of specific vulnerabilities, depending on the nature of the company's business processes, and then track the resolution of just those items. Fortify's software makes this management process straightforward and intuitive. New rule packs, which are regularly updated by Fortify as crackers find new ways to identify and exploit vulnerabilities, are also added through this management console.

I ran Fortify on C/C++ and Java code bases from open source projects and applications developed by me, and I found the analysis to be deep and comprehensive. As it will for almost any developer, Fortify has led me to change the way I write many routines, which ultimately is the whole idea: improving security by making programmers more aware of security vulnerabilities. To this end, Fortify plans to release plug-ins for Eclipse and Visual Studio .Net that enable developers to quickly verify their code before checking it in to the source control systems.

The suite did have some shortcomings, mostly in secondary areas. One serious problem was its inability to change projects. When I closed an existing project in the Workbench and opened another, the display included data from both projects, which makes for nonsensical displays in the best cases, incorrect actions in the worst. The company is aware of this bug.

In addition, the GUI is cumbersome in many instances -- buttons are placed in unconventional places, they lead to unexpected features, and the help functions are frustratingly insufficient -- all of which make the product unnecessarily difficult to use. The other issue is pricing, which starts at $56,400 per CPU. (A team edition that lacks the manager console and the ability to write custom rules starts at $30,000.) Sure, closing a security loophole can be a nearly priceless improvement, but Fortify's price is certain to deter adoption at many sites.

Checking software for security vulnerabilities is something that needs to be done regularly by knowledgeable developers. Unfortunately, the necessary expertise is hard to come by. Many shops publish insecure code because they don't have the qualifications to perform good code reviews or the tools that can analyze their code deeply. Fortify's Source Code Analysis Suite provides a comprehensive solution that intelligently analyzes code bases and generates detailed, usable reports of vulnerabilities.

Andrew Binstock has reviewed hardware and software for InfoWorld for almost a decade. During that time, he was also the editor in chief of Dr. Dobb's. Previously, he was a technology analyst at PricewaterhouseCoopers. He is a long-time software developer and contributes to open-source projects. He is @platypusguy on Twitter.